[SM2.2: 53] Enforce gates with measurements and track exceptions.
Software lifecycle security gates are enforced for every project, so to pass a gate, a project must either meet an established measure or obtain a waiver. Even recalcitrant project teams must now play along, and the SSG tracks exceptions. In some cases, gates are directly associated with regulations, contractual agreements, and other obligations, with exceptions tracked as required by statutory or regulatory drivers. In other cases, gate measures yield key performance indicators that are used to govern the process. Allowing any project to pass automatically, or granting waivers automatically without due consideration, defeats the purpose of enforcing a gate. Even seemingly innocuous software projects, such as a new mobile client for an existing back end or an application ported to a cloud environment from an internal data center, must successfully pass the prescribed security gates in order to progress or remain in production. Similarly, APIs, frameworks, libraries, bespoke code, microservices, container configurations, and so on are all software that must traverse the security gates. Remember, it’s possible, and often very useful, to have enforced gates both before and after the development process itself.